Date: Sat, 12 Jun 2004 07:04:54 -0700 From: richard childers / kg6hac <fscked@pacbell.net> To: freebsd-security@freebsd.org Subject: How do I tell I was hacked? Message-ID: <40CB0D86.9080905@pacbell.net> In-Reply-To: <20040612120107.1D3F116A4E6@hub.freebsd.org> References: <20040612120107.1D3F116A4E6@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>
>
>Date: Sat, 12 Jun 2004 13:15:33 +0200
>From: "Peter Rosa" <prosa@pro.sk>
>Subject: Hacked or not ?
>To: "FreeBSD Security" <freebsd-security@freebsd.org>
>Message-ID: <016301c4506e$947644e0$3501a8c0@pro.sk>
>
>Hi all,
>
>please advice me - I was on holidays for one week. After return I found in
>security mails from router (chkrootkit) following message:
>Checking `lkm'... You have 1 process hidden for readdir command
>You have 1 process hidden for ps command
>Warning: Possible LKM Trojan installed
>
>It apeared only onece. From previous and next days reports, the message is
>not present.
>
>How could I be sure, the machine is not hacked ?
>
>
[1] Make backups. tar(1), dump(8), doesn't matter.
[2] Reinstall identical operating system on new equipment.
[3] Restore backups into large partition sized for this operation
(call it '/backups').
[4] Compare the contents of each directory in /backups recursively
against a known
good copy, For example, to compare /usr against the backed-up
image, do this:
# diff -r /usr /backups/usr
[5] Review the list for files which differ or which do not exist on
the known good copy.
[6] Exclude files for which there are good reasons for difference (IE,
logs and state files).
[7] Analyze the resulting files; pay particular attention to
executables, but also libraries.
You may also find it useful to reload the old operating system onto a
box on an insulated network and monitor the operating system, its
processes and its network traffic, using known good tools.
Regards,
-- richard
--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (FreeBSD)
mQGiBECGpfsRBACoPJJfIIrWAqjlW92TtYCtY//e7OW8alWylr/1ygtSQzjCCdvC
Ysa0fCcx01UenlWV+5YY/zC7KPsX2rQUKAs20fqs9et74dmgMGOj0vMjTzWEs29G
FyAsIRSpFioa8zzrjXEUVnU6OFaD9a9eaC+LSTCiKgXjbQySDKM5T1c+vwCg8W3Y
RZ83LRIUULGMPlY6zS4fQwUEAIIiTHDdWpbE+HeREJwH+4eDpGVf76XtNlOMXrt9
tJ3ExL+9ezLulg1nCrOYodOB7TEZqzV40R7emDZSX0hI9QEBCv6nW5aDVpw/bf+q
UEHwxrUvE2LBi35hoqR2QwqNlagOauSorWj8Qm/31luxJVeLVy1A1czp6B/mvG1T
co03A/9a5kzEAebJ5TzWXQC2/4gu/osXQnrw9B9FFpYOtLc0MNQuAFt8VLn5yO5Q
8T58w+FQvFI5FqzI5URmjQeEyWWuyIechknk4RnwIO1UPVjgRTuNgf9/TvNNfqpa
aVlbNp+AG21D6VqsFN2zJFFJeUqiYdXw6i+ESL3SZRymIhwYWrQ8UmljaGFyZCBB
IENoaWxkZXJzICh3d3cuZGFlbW9uaXplZC5jb20pIDxmc2NrZWRAcGFjYmVsbC5u
ZXQ+iF4EExECAB4FAkCGpfsCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQjGqW
TlNTP66KzQCgjf0SQbiK1rgu7hRsmLPSSaGF7X8AoL7Qw/E9kTZr0fntP0XXEnk/
q6nRuQINBECGpvkQCADFzFq+kYbk+KTIhcVBTjTWDbBnjGgmuGR3LGp9hOd6W9SJ
i4GD5184ZnMbEgvDZcDEGDNgMcU+f1girwYI2v/o7QA7VQ5bpUbnfOBytzO+bvd7
uCOyJltg8AG5MFLxfhAMHofpNxGlFTEXdVp4M9xyBB+hdLHbJNJqkMGPf+iCUf1W
Q86KncU2AK4Sf9I+WYBZwkjaIhi9dQzeEX1c0Um6LxXSBtkjZprIk1M13gVaIJ6E
dDN6hrSMbXZL+7yURw38vHXCtRJAKEOyW178rI8MzJzvVNhobvC62uEWD9Idz8sH
5A06fqb2fKJYLQ1keGUpb/qpny7oTmAe0Hx9jOM7AAMGCACdTe1M4U++/7/OVGip
1gnWEtMhHeQQbS7KPh1w8/1kvs5Mml6uGYQI44lKTDP7OHJQ9hIT/+5tfKPHIPhU
M/7Mqa8y81c/AK+WUOyY9+uZ0zUxFGMqeU9z5iqJFWSi9QR/f5q/khfmqi5RFVyQ
nnVhxBMB8pY1vZHV1CoL7NLK4c/N8mpwCiZ57LTsP8pLfDMWF/OopmM2ulzlfWTr
anAdxQohenq/zTgSySX/VGZYSYvyAoXTRuU4USAVGWcUQPnVooA1N7lZP3pawjNP
QMSukx9jI1673BPsPXxyQZ1PmmPt9eHKI0G0hNJG+FCmSRLNT/R7hqTzTUmpgMWM
yyWPiEkEGBECAAkFAkCGpvkCGwwACgkQjGqWTlNTP642KACeITHq0b42P3oMX7Nj
F5U3EaqCgYoAn3HxUB7ELB6vMUugW4aSmZpBJOR6
=ZaJO
-----END PGP PUBLIC KEY BLOCK-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40CB0D86.9080905>